Cisco ASA Site To Site VPN IKEv1 “Using CLI”

KB ID 0000050

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Note: This is quite an OLD POST, only use these instructions if you need to create a VPN tunnel that uses IKEv1, (i.e. The other end is not a Cisco ASA, or it’s a Cisco ASA running code older than 8.4). You can still use an IKEv1 tunnel of course, so this article is still valid, it’s just IKEv2 has some better levels of encryption.

Everyone else, go to the following article instead!

Cisco Site To Site VPN IKEv2 “Using CLI”

You want a secure IPSEC VPN between two sites.

Solution

Note: There have been a number of changes both in NAT and IKE on the Cisco ASA that mean commands will vary depending on the OS that the firewall is running, make sure you know what version your firewall is running (either by looking at the running config or issue a “sho ver” command).

Note 2: Cisco introduced IKE version 2 with ASA 8.4(x). This assumes we are configuring a tunnel using IKE version 1. (For version 2, both ends need to be running version 8.4(x) or greater).

Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto ” command and check the results, if you do NOT see “crypto isakmp enable outside” or “crypto ikev1 enable outside” then you need to issue that command.

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA# show run crypto
crypto ikev1 enable outside << Mines already enabled and its IKE version1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

Firewall Running an OS Earlier than 8.4(x) 

PetesASA# show run crypto
crypto isakmp enable outside << Mines already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#

[/box]

1. I’m going to create access control lists next, one to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt. If you are running an ASA older than version 8.3(x) you will need to create a second access list to STOP the ASA performing NAT on the traffic that travels over the VPN.

Warning: (ASA Version 8.3 or older): If you already have NAT excluded traffic on the firewall (for other VPN’s) this will BREAK THEM – to see if you do, issue a “show run nat” command, if you already have a nat (inside) 0 access-list {name} entry, then use that {name} NOT the one in my example.

So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to network behind the VPN device at the other end of the tunnel (172.16.254.0).

[box]

Firewall Running an OS of 8.3(x) or newer

PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

Firewall Running an OS Earlier than 8.3(x) 

PetesASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 extended permit 
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC line 1 extended permit 
ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)#nat (inside) 0 access-list NO-NAT-TRAFFIC

[/box]

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

[box]

PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

[/box]

3. Now we need to create a policy that will setup how “Phase 1” of the VPN tunnel will be established, we have already put in a shared secret, this policy will make sure we use it. It also sets the encryption type (3DES), the hashing algorithm (SHA) and the Level of PFS (Group 2). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (that’s 1440 Minutes – or 24 hours if your still confused 🙂 ).

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto ikev1 policy 10
PetesASA(config-ikev1-policy)#authentication pre-share
PetesASA(config-ikev1-policy)#hash sha
PetesASA(config-ikev1-policy)#group 2 
PetesASA(config-ikev1-policy)#lifetime 86400

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto isakmp policy 10 authen pre-share
PetesASA(config)# crypto isakmp policy 10 encrypt 3des
PetesASA(config)# crypto isakmp policy 10 hash sha
PetesASA(config)# crypto isakmp policy 10 group 2
PetesASA(config)# crypto isakmp policy 10 lifetime 86400

[/box]

4. We stated above that we are going to use 3DES and SHA so we need a “Transform Set” that matches. [box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

[/box]

5. Finally we need to create a “Cryptomap” to handle “Phase 2” of the VPN Tunnel, that also will use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface.

[box]

Firewall Running an OS of 8.4(x) or newer

PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map outside_map 1 set pfs group2 
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123 
PetesASA(config)# crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA 
PetesASA(config)# crypto map outside_map interface outside

Firewall Running an OS Earlier than 8.4(x)

PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map outside_map 1 set pfs group2 
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123 
PetesASA(config)# crypto map outside_map 1 set transform-set ESP-3DES-SHA 
PetesASA(config)# crypto map outside_map interface outside

[/box]

5. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

6. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site VPN Copy and Paste Config

Note: This uses AES and SHA. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

[box]

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
[/box]

Simply change the values in red where;

  • 10.0.00 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.

Related Articles, References, Credits, or External Links

Original Article Written 07/06/11, updated 20/04/14

Cisco ASA Static (One to One) NAT Translation

KB ID 0000691

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access).

This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public address A, is sent to private address X.

Note: This solution is for firewalls running versions above version 8.3. If you are unsure what version you are running use the following article.

Find out your Cisco ASA version (Operating system and ASDM)

If you only have one public IP address you would need to carry out port forwarding instead.

Cisco ASA 5500 (and PIX) Port Forwarding

Solution

In the following example I will statically NAT a public IP address of 81.81.81.82 to a private IP address behind the ASA of 172.16.254.1. Finally I will allow traffic to it, (in this example I will allow TCP Port 80 HTTP/WWW traffic as if this is a web server).

Create a Static NAT and allow web traffic via ASDM

Note for the command line alternative see below.

1. Connect to the ADSM.

2. Configuration > Firewall > NAT Rules > Add > Add “Network Object” NAT Rule.

3. Give the ‘object’ a name (I usually prefix them with obj-{name}) > It’s a Host > Type in it’s PRIVATE IP address > Tick the NAT section (press the drop-down if its hidden) > Static > Enter it’s PUBLIC IP address > Advanced > Source = Inside > Destination > Outside > Protocol TCP. Note: You could set this to IP, but I’m going to allow HTTP with an ACL in a minute, so leave it on TCP > OK > OK > Apply.

4. Now navigate to Firewall > Access Rule > Add > Add Access Rule.

5. Interface = outside > Permit > Source = any > Destination = PRIVATE IP of the host > Service > Press the ‘more’ button > Locate TCP/HTTP > OK > OK > Apply.

6. Then save your work with a File > Save Running Configuration to Flash.

Create a Static NAT and allow web traffic via Command Line

1. Connect to the ASA via Command Line.

2. Log In > Go to enable mode > Go to configure terminal mode.

[box]

User Access Verification

Password:*******
 
Type help or '?' for a list of available commands.
 PetesASA> enable
 Password: *******
 PetesASA# conf t
 PetesASA(config)
[/box]

3. First I’m going to allow the traffic to the host (Note: after version 8.3 we allow traffic to the private (per-translated IP address). This assumes you don’t have an inbound access list if you are unsure execute a “show run access-group” and if you have one applied substitute that name for the word ‘inbound’.

Warning before carrying out applying the ‘access-group’ command, see the following article;

Cisco ASA – ‘access-group’ Warning

[box]

PetesASA(config)# access-list inbound permit tcp any host 172.16.254.1
PetesASA(config)# access-group inbound in interface outside[/box]

4. Then to create the static translation.

[box]

PetesASA(config)# object network obj-172.16.254.1 
PetesASA(config-network-object)# host 172.16.254.1 
PetesASA(config-network-object)# nat (inside,outside) static 81.81.81.82 
PetesASA(config-network-object)# exit 
PetesASA(config)#
[/box]

5. Then save the changes.

[box]
PetesASA(config)# wr mem 

Building configuration... 
Cryptochecksum: 89faae4b 7480baa4 bf634e87 470d2d30 
6224 bytes copied in 1.10 secs (6224 bytes/sec) 
[OK]
[/box]

Static NAT Commands to Copy & Paste

[box]

access-list inbound permit tcp any host 172.16.254.1
access-group inbound in interface outside
object network obj-172.16.254.1
 host 172.16.254.1
 nat (inside,outside) static 81.81.81.82
[/box]

Note: Check and change the values in bold as appropriate

Related Articles, References, Credits, or External Links

NA

Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1 
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can. change the authentication method, (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATTED.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values shown in red;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

KB ID 0001429

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

You want a secure IPSEC VPN between two sites using IKEv2.

Note: If the device you are connecting to does not support IKEv2 (i.e. it’s not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article;

Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI)

Solution

Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s configured on this firewall?” Because if it’s not already been done, you need to enable ISAKMP IKEv2 on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto ” command and check the results, if you do NOT see  “crypto ikev2 enable outside” then you need to issue that command.

[box]

PetesASA# show run crypto
crypto ikev2 enable outside << Mines already enabled and its IKE version 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

[/box]

1. I’m going to create access control lists next, one to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt.

So below I’m saying “Don’t NAT Traffic from the network behind the ASA (10.254.254.0) that’s going to network behind the VPN device at the other end of the tunnel (172.16.254.0).

[box]

PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit 
ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN 
destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

[/box]

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

[box]

PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

[/box]

3. Now we need to create a policy that will setup how “Phase 1” of the VPN tunnel will be established. It sets the encryption type (AES-256), the hashing/integrity algorithm (SHA-256), The Diffie Hellman group exchange version, and the Level of PRF (Pseudo Random Function). Finally it sets the timeout before phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (That’s 1440 Minutes – or 24 hours if your still confused 🙂 ).

[box]

PetesASA(config)# crypto ikev2 policy 10
PetesASA(config-ikev1-policy)# encryption aes-256
PetesASA(config-ikev1-policy)# integrity sha256
PetesASA(config-ikev1-policy)# group 19
PetesASA(config-ikev1-policy)# prf sha256
PetesASA(config-ikev1-policy)# lifetime 86400

[/box]

4. We stated above that we are going to use AES-256 and SHA-256, for Phase 1, so let’s use the same for the IPSEC proposal (Phase 2), ‘Transform Set’.

[box]

PetesASA(config)# crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config-ipsec-proposal)# protocol esp encryption aes-256
PetesASA(config-ipsec-proposal)# protocol esp integrity sha-1

[/box]

5. Finally we need to create a “Cryptomap”, this is the ‘thing’ that fires up the tunnel, when the ACL INTERESTING TRAFFIC is used, it also defines the transform set for “Phase 2” of the VPN Tunnel, that will also use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface.

[box]

PetesASA(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
PetesASA(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123
PetesASA(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config)# crypto map CRYPTO-MAP interface outside
 

[/box]

5. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

6. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site IKEv2 VPN Copy and Paste Config

Note: This uses AES-256 and SHA-256. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
object network OBJ-SITE-A
subnet 10.0.0.0 255.255.255.0
object network OBJ-SITE-B
subnet 10.0.3.0 255.255.255.0
!

access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
 
[/box]

Simply change the values in red where;

  • 10.0.0.0 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.

Related Articles, References, Credits, or External Links

NA

Cisco SFR Cant Ping its Default Gateway?

KB ID 0001575

Problem

This is a strange one? I was deploying FirePOWER to a pair of ASA 5550-8-X firewalls in Active / Standby failover last week. After each SFR was updated (via ASDM.) I could no longer ‘ping it’, the SFR itself could ping everything on the same VLAN, APART from its own default gateway, (which was an SVI on the Cisco 3750 switch it was connected to).

This happened every time I updated the SFR, (or re-imaged it.) Then after an hour or so it was fine?

Solution

If I connected to the switch that the SFR, (and firewall) was connected to, I could NOT ping the SFR. The interface was up/up on the switch, and the firewalls Management interface was also up/up.

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

[/box]

I did notice it was in the ARP table though, (with the correct MAC address), So I manually removed it;

[box]

Petes-3750#clear ip arp 10.2.1.252

[/box]

Then it was fine?

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

[/box]

Now the ASDM would connect fine without complaining about the FirePOWER module.

Related Articles, References, Credits, or External Links

NA

Cisco 5506-X / 5512-X SFR Unsupported

KB ID 0001522

Problem

After upgrading an ASA 5506-X to Version 9.10, I was about to re-image the FirePOWER SFR module. I went to load the boot image and this happened;

[box]

sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.3.0-3.img
                                                                                 ^
ERROR: % Invalid input detected at '^' marker.

[/box]

At first I thought “Oh great, the syntax has changed, there’s another post to update“. But no, the command is correct. This is what what pointed me in the right direction.

[box]

Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD1233AAAA
 sfr Unsupported                                 Unsupported

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 6cb2.aede.0106 to 6cb2.aede.010f  2.0          1.1.8        9.10(1)11

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable

[/box]

Solution

FirePOWER SFR IS NO LONGER SUPPORTED ON ASA 5506-X and ASA5512-X

Cisco’s official wording from the 9.10 version release says;

“The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints. You must remain on 9.9(x) or lower to continue using this module. “

So downgrade the OS, at time of writing the newest supported is 9.9(2).

Related Articles, References, Credits, or External Links

NA

FirePOWER: ‘No Authentication Required’ No Usernames

KB ID 0001460

Problem

When attempting to track Users with FirePOWER, the FMC would not show any usernames?

Solution

Theres a lot of reasons this might not work, let’s take a look at a few of them.

Firstly make sure the server running the ‘user agent’ is listed under  System >Integration > Identity Sources > User Agent.

It probably goes without saying, but over on server running the user agent, make sure it can see the Domain Controller(s) and the FMC (everything is green).

Make sure your DC’s are setup to audit logon events! (I’ve had to do this in local policy directly on the DC’s before).

Ensure you have setup a ‘Realm’ for you active directory, and it’s enabled. (System > Integration > Realms).

WARNING: In some versions of the FMC there’s a ‘Bug’ that requires you use the NETBIOS name of your domain rather than its full domain name, (as shown in the example on the right).

After you have made the change, ensure you can still download the users and groups. Don’t forget to ‘Save’ the changes, and redeploy the settings.

Make sure you have an ‘Identity Policy‘, and that it’s set to discover users by ‘Passive Authentication‘, and it’s set to use the ‘Realm‘ you created. (Policies > Access Control > Identity).

In your main ‘Access Control Policy‘ > In at least one of the rules, under ‘Users‘, ensure that your ‘Realm‘ is selected and added. (Policies > Access Control).

You also under your ‘Network Discovery‘ policy make sure ‘Users‘ has been added.

Then take a look under Analysis > Users > User Activity. Make sure that logon events are getting logged, and mapped to IP addresses.

Once all the boxes are ‘ticked’, users should start appearing.

Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER (On-Box / ASDM) Change the Time Zone

KB ID 0001363

Problem

At first this was just a bug, now it’s annoying, I don’t know why Cisco have not got round to fixing this, it’s still a problem in the latest (6.2.2 at time of writing,) version.

Solution

Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Manually > Save Policy and  Exit.

Deploy > Deploy FirePOWER Changes > Deploy.

To View Task Progress: Monitoring > ASA FirePOWER Monitoring > Ensure the policy has applied successfully, (go and have a coffee).

Configuration > ASA FirePOWER Configuration > Local > Configuration > Time > Select the time zone ‘Hyperlink’ > Set the correct zone > Save > Done.

Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Via NTP From… > Type in a public NTP Server  > Save Policy and  Exit.

or use;

[box]

0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, 3.sourcefire.pool.ntp.org

[/box]

Deploy > Deploy FirePOWER Changes > Deploy.

Related Articles, References, Credits, or External Links

Special Thanks to Craig Paolozzi for this article, because he asks me how to do it, every 27 days.

Updating FirePOWER Module (From ASDM)

KB ID 0001348 

Problem

Normally I don’t like upgrading the SFR this way. But then I tend to install new firewalls set them up and walk away, so its easier (and a LOT quicker) to simply image the module to the latest version and then set it up.

Like So; Re-Image and Update the Cisco FirePOWER Services Module

This week I had an existing customer, who has an ASA5508-X but wasn’t using his FirePOWER, I’d installed the controller licence when I set it up originally, (as a safe guard in case the licence got lost, which nearly always happens!) The firewall was pretty much up to date but the SFR was running 5.4.0 (at time of writing we are at 6.2.2). So Instead of imaging it I decided to upgrade it, this takes a LOOOOOOOONG TIME! (4-6 hours per upgrade) and you cannot simply upgrade straight to the latest version.

Thankfully this does not affect the firewall itself, (assuming you set the SFR to Fail Open).

Solution

First task is to find out what the latest version is, at time of writing thats 6.2.2, open the release notes for that version and locate the upgrade path, it looks like this;

Well that’s a lot of upgrades! You may notice that there’s some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are no-where to be found! This happens when a version gets updated, in the example above one of my steps is 6.0.1 pre installation package, this was no where to be found, so I actually used 6.0.1-29.

The files you need are the ones which end in .sh, i.e. Cisco_Network_Sensor_Patch-6.0.1-29.sh (DON’T Email me asking for updates you need a valid Cisco support agreement tied to your Cisco CCO login.)

Once you have downloaded your update, login to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.

Upload your update, (this can take a while).

When uploaded > Select your update > Install, (if the install needs a reboot accept the warning).

Note: This is a reboot of the FirePOWER module, NOT the Firewall.

You can follow progress (to a point) from the task information popup (Once the SFR module goes down you wont see anything apart from an error, unless your version is 6.1.0 or  newer (which shows a nice progress bar). So;

  1. Don’t panic: it looks like it’s crashed for hours – it’s fine.
  2. There are other things you can look at if you’re nervous.

Monitoring FirePOWER upgrades

What I like to do is SSH into the firewall and issue the following command;

[box]debug module-boot[/box]

Then you can (after a long pause of nothing appearing to happen!) see what is going on.

You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.

If you are currently running 6.1.0 or above you get this which is a little better.

Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.

Back at the firewall, if you issue a ‘show module‘ command during the upgrade it looks like the module is broken! This will be the same of a few hours!

[box]

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

[/box]

Related Articles, References, Credits, or External Links

NA